Privacy Notice for Research Participants

Ember Technology Ltd, as the Data Controller, takes its obligation under the UK GDPR very seriously and will always ensure personal data is collected, handled, stored and shared in a secure manner. This Privacy Notice outlines how your personal data will be processed, in relation to research projects carried out by Ember Technology Ltd. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Officer (ICO), the regulator for data protection in the UK.

The UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018, protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with personal data.
A key element to protecting personal data is the principle to process individuals’ data lawfully and fairly. This means we need to provide information on how we process personal data and we should only process the personal data if there is a legal basis specified in the (UK GDPR) for doing so.

The term ‘processing’ refers to any operations performed on personal data, whether these operations are automated, or not. Common examples of processing are collecting, sharing, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing and destroying personal data.

Personal data

4. Personal data means any information that relates to or is capable of identifying you, the research participant, as an individual. This can include direct identifiers such as your name, address/postcode, email address, and biometric data (e.g., voice). It also includes indirect identifiers such as your gender, date of birth, place of work, or other information such as your opinions or thoughts, that can be combined to identify you.

5. We may also collect and use personal data which is referred to as ‘special category’ personal data in the UK GDPR. Special category personal data is data relating to: race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where this is used for identification purposes), health data, sex life or sexual orientation.

Collecting and using your personal data

6. Prior to providing your consent you will be given Participant Information that will provide details the research being carried out, how your personal data will be collected and the specific purpose for which it will be used. Researchers will only collect information that is essential for the purpose of the research. For the purpose of this specific research, we will collect the following:

If you are participating as a Health Professional, we will be collecting:
• Your name – so that we can address you during the research
• Your contact details – so that we can contact you about the research
• Your job role and employment details – so that we can understand the context of your professional work in relation to the research.
• Your language preferences and accessibility needs – so that we can make the research easier for you to participate in.
• Your opinions – so that we can factor your opinions into the research.

If you are participating as a member of the public, we will be collecting:
• Your name – so that we can address you during the research
• Your contact details – so that we can contact you about the research
• Your residency, family, relationship and employment status – so that we can understand the context of your situation in relation to the research and ensure that a broad range of circumstances are represented in the research
• Your gender preferences and ethnicity –to ensure that there is representation from a broad range of people in the research.
• Your language preferences and accessibility needs – so that we can make the research easier for you to participate in.
• Your opinions – so that we can factor your opinions into the research.

Legal basis for processing your personal data

7. The UK GDPR requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. The UK GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.

8. In the context of research, the lawful basis upon which we will process your personal data is usually where “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6 of UK GDPR).

9. We will also process personal data as permitted by Article 9, of the UK GDPR which permits processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

10. Where we need to rely on a different legal condition, such as consent, we will inform you of this in the Participant Information provided to you.
Data sharing

11. Your information will usually be shared within the Ember Technology Ltd research team conducting the project/study you are participating in, so that they can identify you as a participant and contact you about the research project/study.

12. Other trusted organisations (such as commissioning organisations, public institutions and auditing authorities) may also be given access to personal data, or anonymised derivatives of data provided by you, and used in a research project/study for monitoring purposes and/or to carry out an audit of the project/study to ensure that the research complies with applicable regulations.
Individuals from regulatory authorities (people who check that we are carrying out the project/study correctly) may require access to your records. All of these people have a duty to observe and respect the confidentiality of personal data in line with legal requirements, including requirements under the UK GDPR requirements.

13. If we are working with other organisations and individuals and information is shared about you, we will inform you in the Participant Information given to you. Information shared will be on a ‘need to know’ basis relative to achieving the research project’s objectives, and with all appropriate safeguards in place to ensure the security of your information. We will enter into appropriate data sharing agreements with such organisations.

Transferring data outside Europe

14. In the majority of instances your personal data will be processed by Ember Technology Ltd researchers only. However, this may also involve collaborating with other trusted organisations (such as commissioning organisations, public institutions and auditing authorities). Where we will process personal data in collaboration with other organisations, we will enter into appropriate data sharing and/or processing agreements which will specify the safeguards that have to be in place to comply with UK data protection law.

15. In any instances in which your personal data might be used as part of a collaboration with researchers based outside the EU, we will enter into appropriate data processing agreements with those organisations, which will specify all necessary safeguards that have to be in place to comply with the UK GDPR requirements for safeguarding personal data that is processed in territories outside of the UK and the EU on the basis of rights and protections that apply to the processing of personal data in the UK. You will be informed if your personal data is to be processed by researchers outside of the EU.

Storage and security

16. Ember Technology Ltd takes a robust approach to protecting the information it holds with dedicated storage areas for research data with controlled access.

17. Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that our staff members are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff and existing staff regularly undergo re-training and expert advice is also available.

Storage and security

18. Your information will not be kept for longer than is necessary and will usually be kept in an anonymised or pseudonymised format for no longer than six weeks beyond the completion of the study. In the event that we need to hod data for longer than this period details will be given in the Participant Information that we send out to you.

Your rights under data protection

19. Under the UK GDPR you have the following rights:
• to obtain access to, and copies of, the personal data that we hold about you
• to require that we cease processing your personal data if the processing is causing you damage or distress;
• to require us to correct the personal data we hold about you if it is incorrect;
to require us to erase your personal data;
• to require us to restrict our data processing activities;
• to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
• to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.

20. Your rights to access, change (rectify), or remove your information (erasure) may be limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we may not always be able to remove the information that we have already obtained. We must comply with a request to erase personal data, or to rectify personal data that is inaccurate unless there are grounds for refusing the request specified in the UK GDPR. To safeguard your rights, we will use the minimum personally-identifiable information possible.

21. If you submit a request for access to your own personal data (subject access request) Ember Technology Ltd will disclose to you your personal data, which you are entitled to receive on the basis of your request. This will take place within one month of your request, unless there is a justification for extending the response time by a further two months.

22 If you are not satisfied with how Ember Technology Ltd has handled your information or dealt with any request for your information, you have the right to complain (See section 25 below).

23 None of the above precludes your right to withdraw consent from participating in the research study at any time. However, note as stated in section 20, we may not always be able to remove the information that we have already obtained; and if that is the case, we should explain the reasons for this and the legal justification.

Contact us

24. If you have any questions about the research project you are participating in, please contact the researcher conducting the project using the contact details you were supplied with in the Participant Information given to you.

Exercising your rights including the right to complain

25. If you want to exercise any of the rights specified in section 19 above, or to complain if you are unhappy with the way your information has been used, you should contact

Data Protection Officer, Ember Technology Ltd (contact details below),

Steven Wexelstein, Director of Operations
Saltire House
Pentland Park

26. Ember Technology Ltd will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the UK GDPR. Please note that we will keep a record of your communications to help us resolve any issues which you raise.

How to Make a Complaint to the Regulator

27. If you are dissatisfied with how Ember technology Ltd has dealt with a request you make relating to your personal data, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner’s Office (ICO), which oversees data protection compliance in the UK. Details of how to do this can be found at: (